Apply a seccomp-BPF syscall allowlist by default

Derived from Podman's default profile, stripped of capability-conditional
rules (we never grant capabilities), argument filters, and the explicit
EPERM block. Dangerous syscalls (mount, unshare, ptrace, bpf,
perf_event_open, io_uring_*, keyctl, kexec_*, ...) fall through to the
default ENOSYS action, which also keeps glibc's clone3 -> clone fallback
working. x86_64 and aarch64 are supported; other archs error out.

Toggle with --seccomp / --no-seccomp or seccomp = <bool> in config.
2026-04-08 08:34:34 +02:00
parent 5f3b139457
commit 12644ae31e
11 changed files with 772 additions and 0 deletions
+11
@@ -3,6 +3,7 @@ use std::process::Command;
use crate::agents;
use crate::blacklist;
use crate::seccomp;
use crate::{SandboxConfig, SandboxError, SandboxMode};
pub fn build_command(config: &SandboxConfig) -> Result<Command, SandboxError> {
@@ -41,6 +42,10 @@ pub fn build_command(config: &SandboxConfig) -> Result<Command, SandboxError> {
apply_masks(&mut cmd, &config.mask);
if config.seccomp {
add_seccomp_filter(&mut cmd)?;
}
cmd.args(&config.bwrap_args);
cmd.arg("--")
@@ -194,3 +199,9 @@ fn add_ro_bind(cmd: &mut Command, path: &Path) -> Result<(), SandboxError> {
fn resolve_bind_source(path: &Path) -> Result<PathBuf, SandboxError> {
std::fs::canonicalize(path).map_err(|_| SandboxError::PathMissing(path.to_path_buf()))
}
fn add_seccomp_filter(cmd: &mut Command) -> Result<(), SandboxError> {
let fd = seccomp::write_program_to_memfd()?;
cmd.arg("--seccomp").arg(fd.to_string());
Ok(())
}
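Review bot: The descriptor returned by `seccomp::write_program_to_memfd()` in `add_seccomp_filter` is never closed here and must stay open, and without `FD_CLOEXEC`, until bwrap has exec'd and read `--seccomp FD`; its use via `to_string()` suggests it is a raw fd, in which case it leaks one fd per `build_command` call in the parent and is inherited by every later child, including the sandboxed program. If it were instead an owning type it would be dropped at the end of this function, before `cmd` is spawned, and bwrap would fail on a closed descriptor, so the lifetime contract deserves to be stated explicitly: `// fd is intentionally leaked: bwrap reads it after exec, so it must remain open and non-CLOEXEC until the child has started.` If the fd is meant to be reclaimed, return it alongside the `Command` so the caller can close it once the child is spawned. Since the memfd is presumably inherited read-write by the sandboxed process, sealing it (`F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_GROW`) before handing it over would also make the tampering question moot. Note too that `cmd.args(&config.bwrap_args)` runs after this flag, so a user-supplied `--seccomp` in `bwrap_args` would either conflict with or override the default filter depending on bwrap's handling of a repeated option.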